# Services Based Pentest Checklist

<details>

<summary><strong>Symfony PHP</strong></summary>

* [ ] Symfony Profiler Enabled

```
/app_dev.php
/app_dev.php/_profiler
/_profiler
/_profiler/latest
/_profiler/search
/_profiler/phpinfo
/_profiler/{token}
/_wdt/{token}
/app_example.php
/app_test.php
/index_dev.php
/config.php
/_configurator/
/_configurator/steps
/_configurator/step/{index}
```

</details>

<details>

<summary><strong>Laravel</strong></summary>

* [ ] Laravel Debug Mode / Telescope / Ignition / Horizon / Pulse

```
/.env
/_debugbar
/_debugbar/open
/_debugbar/clockwork/{id}
/telescope
/telescope/requests
/telescope/exceptions
/ignition/execute-solution
/ignition/update-options
/horizon
/horizon/api/*
/pulse
```

</details>

<details>

<summary><strong>WordPress</strong></summary>

* [ ] WordPress Debug / Config / XMLRPC / Users Enum

```
/wp-config.php
/wp-config.php~
/wp-config.php.bak
/wp-config.php.old
/wp-admin/install.php
/xmlrpc.php
/wp-json/wp/v2/users
/wp-json/wp/v2/users/{id}
/readme.html
/license.txt
/wp-includes/version.php
```

</details>

<details>

<summary><strong>Django</strong></summary>

* [ ] Django Debug Mode / Admin / Debug Toolbar

```
/.env
/admin
/admin/login
/debug
/__debug__
/static/debug_toolbar/
/djdt/
/djdt/debug_toolbar
```

</details>

<details>

<summary><strong>Rails</strong></summary>

* [ ] Rails Console / Info / DB / Pwned

```
/rails/info/properties
/rails/console
/rails/db
/pwned
/.env
/config/database.yml
```

</details>

<details>

<summary><strong>Express.js / Node.js</strong></summary>

* [ ] Debug Routes / Env / Config Exposure

```
/.env
/debug
/trace
/env
/config
/status
/version
```

</details>

<details>

<summary><strong>Flask</strong></summary>

* [ ] Flask Debug Mode / Console

```
/.env
/console
/debug
/flask.debug
/_debug
```

</details>

<details>

<summary><strong>GraphQL</strong></summary>

* [ ] Introspection Enabled / IDEs

```
/graphql
/graph
/graphiql
/graphql/console
/graphql.php
/graphiql.php
/api/graphql
/v1/graphql
/v1/explorer
/v1/graphiql
/altair
/playground
/graphql-playground
/graphiql/fiddle
```

</details>

<details>

<summary><strong>Next.js</strong></summary>

* [ ] Next.js Debug / Env / Dev Files

```
/.env
/.env.local
/.env.production
/_next/static/development
/api/debug
/.next/
```

</details>

<details>

<summary><strong>Strapi</strong></summary>

* [ ] Strapi Admin / Dashboard / Env

```
/admin
/dashboard
/.env
/strapi
/plugins/users-permissions
```

</details>

<details>

<summary><strong>Spring Boot</strong></summary>

* [ ] Actuator Endpoints / Jolokia / Hawtio

```
/actuator
/actuator/env
/actuator/beans
/actuator/mappings
/actuator/health
/actuator/info
/actuator/heapdump
/actuator/threaddump
/actuator/loggers
/actuator/conditions
/jolokia
/jolokia/exec
/hawtio
/api/hawtio
```

</details>

<details>

<summary><strong>ASP.NET</strong></summary>

* [ ] Debug / Trace / Config Exposure

```
/trace.axd
/elmah.axd
/Web.config
/web.config.bak
/web.config~
/App_config/connectionStrings.config
```

</details>

<details>

<summary><strong>PHP General</strong></summary>

* [ ] PHP Info / Config / Backups

```
/phpinfo.php
/info.php
/test.php
/php.ini
/php.ini~
/php.ini.bak
/server-status
/server-info
```

</details>

<details>

<summary><strong>Apache</strong></summary>

* [ ] Server Status / Info / Mod Pages

```
/server-status
/server-info
/mod_status
/.htaccess
/.htpasswd
```

</details>

<details>

<summary><strong>Nginx</strong></summary>

* [ ] Status / Stub Status

```
/nginx_status
/status
/stub_status
```

</details>

<details>

<summary><strong>Tomcat</strong></summary>

* [ ] Manager / Host Manager / Examples

```
/manager/html
/host-manager/html
/examples
/docs
/admin
```

</details>

<details>

<summary><strong>Kibana</strong></summary>

* [ ] Kibana Dashboard / Timelion / Console

```
/app/kibana
/app/timelion
/app/console
/api/console
```

</details>

<details>

<summary><strong>Elasticsearch</strong></summary>

* [ ] Cluster Info / Indices / Cat APIs

```
/_cat
/_cat/indices
/_cat/nodes
/_cluster/health
/_nodes/stats
/*/_search
```

</details>

<details>

<summary><strong>MongoDB</strong></summary>

* [ ] Mongo Express / Admin UI

```
/dbadmin
/mongo
/admin/mongo
/me
```

</details>

<details>

<summary><strong>Redis</strong></summary>

* [ ] Redis CLI / Web UI

```
/redis
/phpredisadmin
/redis-cli
```

</details>

<details>

<summary><strong>Docker</strong></summary>

* [ ] Docker API / Registry / Swarm

```
/_ping
/v1.41/info
/v1.41/containers/json
/v2/_catalog
```

</details>

<details>

<summary><strong>Swagger / OpenAPI</strong></summary>

* [ ] Swagger UI / OpenAPI Docs Exposure

```
/swagger
/swagger-ui
/swagger-ui.html
/swagger-ui/index.html
/api-docs
/v2/api-docs
/v3/api-docs
/openapi.json
/openapi.yaml
/redoc
```

</details>

<details>

<summary><strong>Grafana</strong></summary>

* [ ] Grafana UI / Public Dashboards / Health

```
/grafana
/grafana/login
/grafana/public-dashboards
/public-dashboards
/api/health
/api/search
```

</details>

<details>

<summary><strong>Prometheus</strong></summary>

* [ ] Prometheus UI / Targets / Metrics

```
/graph
/targets
/service-discovery
/metrics
/api/v1/status/config
/api/v1/targets
```

</details>

<details>

<summary><strong>phpMyAdmin / Adminer</strong></summary>

* [ ] Database Admin Panels Exposed

```
/phpmyadmin
/phpMyAdmin
/pma
/dbadmin
/adminer
/adminer.php
```

</details>

<details>

<summary><strong>MinIO</strong></summary>

* [ ] MinIO Console / Health Endpoints

```
/minio
/minio/login
/minio/health/live
/minio/health/ready
```

</details>

<details>

<summary><strong>General Misconfig Checks</strong></summary>

* [ ] Environment Files

```
/.env
/.env.local
/.env.production
/.env.example
/config.php
/configuration.php
/settings.php
```

* [ ] Backup / Source Files

```
/*.bak
/*.old
/*.txt
/*~
/backup
/backups
/*.sql
/*.zip
/*.tar.gz
```

* [ ] Directory Listing / Uploads

```
/uploads/
/files/
/assets/
/static/
/media/
/user_uploads/
```

* [ ] Git / SVN Exposure

```
/.git/
/.git/HEAD
/.git/config
/.svn/entries
/.hg/
```

</details>

<details>

<summary><strong>Postman API Platform</strong></summary>

* [ ] Public Workspaces

```
https://www.postman.com/{companyName}/?tab=workspaces
```

</details>

<details>

<summary><strong>Salesforce</strong></summary>

* [ ] Salesforce Lightning Aura Components Enabled

```
- Test:
POST /aura HTTP/2
Host: {TARGET}.lightning.force.com
Content-Type: application/json

{}
------------------------
- FQDNs:
*.force.com
*.secure.force.com
*.live.siteforce.com
---------------------------
- Other Endpoints
/sfsites/aura
/s/sfsites/aura
```

</details>

<details>

<summary><strong>Trello</strong></summary>

* [ ] View Permissions on Trello Boards

```
site:trello.com "company"
https://trello.com/b/{BOARD_ID}
```

</details>

<details>

<summary><strong>Figma</strong></summary>

* [ ] View access misconfiguration

```
https://www.figma.com/file/{DesignID}/{DesignFileName}
```

</details>

<details>

<summary><strong>Freshworks Freshservice</strong></summary>

* [ ] Open User Registration

```
https://<companyName>.freshservice.com/support/signup
```

</details>

<details>

<summary><strong>Slack</strong></summary>

* [ ] No Admin Approval for Invitations

To check if you have permissions to invite a new member:

1. Sign in to your Slack Workspace
2. Open any channel
3. Click on **Add people**
4. A popup will open up, enter the user's email address
5. Finally, click **Add**

These reproduction steps prove that you're able to invite new members without approval from an administrator.


</details>

<details>

<summary><strong>Atlassian Bitbucket</strong></summary>

* [ ] Publicly Accessible Private Repositories

```
https://bitbucket.org/{WORKSPACE_ID}
site:bitbucket.org inurl:/workspace/projects
```

</details>

<details>

<summary><strong>Atlassian Confluence</strong></summary>

* [ ] [Anonymous access to Remote API](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/anonymous-access-to-remote-api)

{% code overflow="wrap" %}

```http
## XML-RPC HTTP Request to retrieve a specific page for example:
POST /rpc/xmlrpc HTTP/1.1
Host: confluence.example.com
Content-Type: text/xml
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
 <methodName>confluence2.getPage</methodName>
 <params>
  <param>
   <value>
    <string>{SPACE_KEY}</string>
   </value>
  </param>
  <param>
   <value>
    <string>{PAGE_TITLE}</string>
   </value>
  </param>
 </params>
</methodCall>

--------------------------------
## Curl:
curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>confluence2.getPage</methodName><params><param><value><string>{SPACE_KEY}</string></value></param><param><value><string>{PAGE_TITLE}</string></value></param></params></methodCall>' http://confluence.example.com/rpc/xmlrpc

------------------------------------
## SOAP: /rpc/soap-axis/confluenceservice-v2
```

{% endcode %}

* [ ] [Disabled XSRF Protection](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/disabled-xsrf-protection)

{% code overflow="wrap" %}

```
If XSRF protection is turned off, bad actors could post comments on other users' behalf simply by sending them a link to an attacker-controlled site that replicates the POST request.
```

{% endcode %}

* [ ] [User Email Visibility](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-confluence/user-email-visibility)

{% code overflow="wrap" %}

```
There is no specific testing procedure for this misconfiguration. Email addresses are visible, for example, next to the user's name on posts.
```

{% endcode %}

* [ ] [Misconfigured Spaces](https://github.com/intigriti/misconfig-mapper-docs/blob/gitbook/services/atlassian-confluence/misconfigured-spaces.md)

{% code overflow="wrap" %}

```
Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces
```

{% endcode %}

</details>

<details>

<summary><strong>Atlassian Jira</strong></summary>

* [ ] [Open User Registration](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/open-user-registration)

{% code overflow="wrap" %}

```
You can cross-check if user registration is open for anyone by navigating to the following app route:

/secure/Signup!default.jspa
```

{% endcode %}

* [ ] [Misconfigured Email Visibility](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/atlassian-jira-email-visibility)

{% code overflow="wrap" %}

```
Open up any user's profile in your Jira instance as an anonymous user and verify that you can view the email address of the user.
```

{% endcode %}

* [ ] [Open Service Desk registration](https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/atlassian-jira-service-desk-open-signups)

{% code overflow="wrap" %}

```
Navigate to the following app route and check if signups are enabled:

/servicedesk/customer/user/login
```

{% endcode %}

</details>

<details>

<summary><strong>AWS S3</strong></summary>

* [ ] Misconfigured List Permissions

```
aws s3 ls s3://{BUCKET_NAME} --no-sign-request
```

</details>

<details>

<summary><strong>Cloudflare R2</strong></summary>

* [ ] R2.DEV Enabled

{% code overflow="wrap" %}

```
You can make use of the search syntax supported by several popular search engines, such as Google, to enumerate R2 buckets belonging to your target company or organization:

site:.r2.dev "company"
```

{% endcode %}

</details>

<details>

<summary><strong>Google Groups</strong></summary>

* [ ] Misconfigured read permissions

```
site:groups.google.com "{companyName}"
```

</details>

<details>

<summary><strong>Google Docs</strong></summary>

* [ ] Misconfigured read permissions

```
https://docs.google.com/document/d/{documentId}/edit
```

</details>

<details>

<summary><strong>Google Cloud Storage Bucket</strong></summary>

* [ ] Misconfigured access controls

{% code overflow="wrap" %}

```
https://{companyName}.storage.googleapis.com/
https://storage.googleapis.com/{companyName}

Indexing may also be enabled; to cross-check, use the search filters that search engines like Google provide:

site:storage.googleapis.com "{companyName}"
```

{% endcode %}

</details>

<details>

<summary><strong>Google OAuth</strong></summary>

* [ ] Unrestricted email domains

{% code overflow="wrap" %}

```
https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=company.com

--------------------------------
Change it to example.com:
--------------------------------

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=example.com
```

{% endcode %}

</details>
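The `hd` value in the authorization request above is only a login hint that the user can change, so the domain restriction has to be enforced on the verified ID token. Added example in Python (not code from the original page) of that server-side check; it assumes the token's signature has already been verified and its claims are available as a dict, and `company.com` is a constructed sample domain:

```python
# Added example: enforce a Google Workspace domain restriction server-side.
# Assumes the ID token signature has already been verified and its claims
# (email, email_verified, hd) are available as a plain dict.

ALLOWED_DOMAINS = {"company.com"}  # constructed sample value


def hosted_domain_allowed(claims: dict, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Return True only if the token proves membership of an allowed domain.

    The `hd` query parameter sent to accounts.google.com is a UI hint; only
    the `hd` claim inside the verified ID token (set by Google for Workspace
    accounts) together with a verified email address can be trusted.
    """
    hd = claims.get("hd")
    email = claims.get("email", "")
    if not claims.get("email_verified", False):
        return False
    if hd is None or hd not in allowed_domains:
        # Consumer accounts carry no hd claim at all; reject them.
        return False
    # Defence in depth: the email's domain must agree with the hd claim.
    return email.lower().rsplit("@", 1)[-1] == hd.lower()


# Constructed sample claim sets (not real tokens)
WORKSPACE_USER = {"email": "alice@company.com", "email_verified": True, "hd": "company.com"}
CONSUMER_USER = {"email": "bob@gmail.com", "email_verified": True}  # no hd claim
OTHER_DOMAIN = {"email": "eve@example.com", "email_verified": True, "hd": "example.com"}
```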

<details>

<summary><strong>Jenkins</strong></summary>

* [ ] Open Signups

```
- Enumerate jenkins subdomains
jenkins.domain.com

- Check those endpoints
/signup
/jenkins/signup
```

* [ ] Public Groovy Script Console

{% code overflow="wrap" %}

```
- Check if Groovy Script Console is publicly accessible:

/script

---------------------------------
- Test:

curl -s 'https://jenkins.{HOST}/script' -X 'POST' --data 'script={SCRIPT}'

or:

curl -s 'https://jenkins.{HOST}/scriptText' -X 'POST' --data 'script={SCRIPT}'
```

{% endcode %}

</details>

<details>

<summary><strong>GitLab</strong></summary>

* [ ] GitLab Private Source Code Snippets Exposed

{% code overflow="wrap" %}

```
/explore/snippets
```

{% endcode %}

</details>

<details>

<summary><strong>Drupal</strong></summary>

* [ ] Node ID Enumeration

```
- Brute Force IDs
/node/{ID}
```

</details>

### Automation

{% embed url="https://bugology.intigriti.io/misconfig-mapper-docs" %}
